Analysis
  max time kernel:   1018s
  max time network:  1020s
  platform:          windows11-21h2_x64
  resource:          win11-20240709-en
  resource tags:     arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         13/07/2024, 21:16
  Static task:       static1
  URLScan task:      urlscan1
Malware Config
  Extracted family: lokibot
  C2 gate URLs:
    http://blesblochem.com/two/gates1/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
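The five gate URLs above are the most directly actionable indicator in this report. The Python below is an added example, not part of the Triage report or of the sample: it turns the extracted URLs into a host blocklist and runs a few constructed proxy log lines through it. It also flags the `/fre.php` gate path on a host that is not on the list; that second rule is an assumption (the same path can exist on benign sites) and is reported separately as a weaker lead.

```python
"""Match proxy log lines against the Lokibot C2 gates extracted in the report.

Added example, not part of the Triage report. The C2 URLs are copied from the
report's Malware Config section; the proxy log lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# C2 gate URLs as listed in the report's Malware Config section.
LOKIBOT_C2 = (
    "http://blesblochem.com/two/gates1/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
)

# Every gate in this config ends in "/fre.php". Matching that path on an unknown
# host is a weaker signal (assumption: treat it as a lead, not a verdict).
GATE_PATH_RE = re.compile(r"/fre\.php$", re.IGNORECASE)


def c2_hosts(urls=LOKIBOT_C2):
    """Lower-cased hostnames from the C2 list, suitable for a DNS/proxy blocklist."""
    return sorted({urlsplit(u).hostname.lower() for u in urls})


def classify_url(url, known=LOKIBOT_C2):
    """Return 'known_c2' for a listed host, 'gate_pattern' for an unlisted host
    carrying the Lokibot gate path, or None when nothing matches."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None  # not an absolute URL
    if parts.hostname.lower() in c2_hosts(known):
        return "known_c2"
    if GATE_PATH_RE.search(parts.path):
        return "gate_pattern"
    return None


def scan_proxy_log(text):
    """Parse '<timestamp> <client> <method> <url> <status>' lines and return the hits.

    Lokibot check-ins are POSTs to the gate; the method is kept so a reviewer can
    separate a beacon from, say, a crawler GET on the same path."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        ts, client, method, url, status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "status": status, "verdict": verdict})
    return hits


# Constructed proxy log: two listed gates, one unlisted host with the gate path,
# and two benign lines (the raw.githubusercontent.com fetch mirrors the report's
# "legitimate hosting services" signature but is not a C2 match by itself).
SAMPLE_LOG = """\
2024-07-13T21:17:02Z 10.0.0.15 POST http://blesblochem.com/two/gates1/fre.php 404
2024-07-13T21:17:03Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 200
2024-07-13T21:17:05Z 10.0.0.22 GET http://www.google.com/ 200
2024-07-13T21:17:09Z 10.0.0.15 POST http://alphastand.example/alien/fre.php 200
2024-07-13T21:17:11Z 10.0.0.31 GET https://raw.githubusercontent.com/org/repo/main/README.md 200
"""

if __name__ == "__main__":
    print("blocklist:", ", ".join(c2_hosts()))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["method"]} {hit["url"]} -> {hit["verdict"]}')
```

The 404 on the first gate is deliberate in the sample: a dead gate still identifies the infected client, which is why the scan keys on the request rather than on the response.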
Signatures

Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
  pid   Process
  3780  Lokibot.exe
  4264  Lokibot.exe
  4912  Lokibot.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                      yara_rule
  behavioral1/memory/3780-458-0x0000000000B10000-0x0000000000B24000-memory.dmp  agile_net
  behavioral1/memory/4264-495-0x0000000002CE0000-0x0000000002CF4000-memory.dmp  agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description  ioc  Process
  Key opened   \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Lokibot.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  Lokibot.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Lokibot.exe
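The three key paths above are a good basis for a host-side rule, but they carry two values that vary between machines: the account SID and the Office major version. The Python below is an added example, not part of the Triage report: it wildcards both, accepts the sub-keys under `...\Profiles\Outlook` where the account data actually lives, and flags any process other than Outlook that opens them. The event stream it runs on is constructed from the report's three key opens plus two control lines; the allow-list of images is an assumption to tune per estate.

```python
"""Flag processes other than Outlook that open Outlook profile keys.

Added example, not part of the Triage report. The key paths are the ones the
report lists for Lokibot.exe; the per-user SID and the Office version are
wildcarded so the rule is not tied to this sandbox image.
"""
import re

# The sandbox logs kernel-style paths: \REGISTRY\USER\<SID>\... where the SID is
# S-1-5-21-<three sub-authorities>-<RID>. Office keeps profiles under its major
# version (15.0 = Office 2013, 16.0 = Office 2016 and later). Account data lives in
# sub-keys below ...\Profiles\Outlook, so a trailing sub-path is accepted too.
SID = r"S-1-5-21-\d+-\d+-\d+-\d+"
OUTLOOK_PROFILE_KEYS = [
    re.compile(r"^\\REGISTRY\\USER\\" + SID
               + r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook(?:\\.*)?$",
               re.IGNORECASE),
    re.compile(r"^\\REGISTRY\\USER\\" + SID
               + r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\Outlook(?:\\.*)?$",
               re.IGNORECASE),
]

# Images expected to read their own profile store (assumption; tune per estate).
ALLOWED_IMAGES = {"outlook.exe"}


def is_outlook_profile_key(key):
    """True when `key` is one of the Outlook profile locations, for any user or version."""
    return any(p.match(key) for p in OUTLOOK_PROFILE_KEYS)


def detect(events, allowed=ALLOWED_IMAGES):
    """events: dicts with 'pid', 'process' (image name) and 'key'. Returns the suspicious ones."""
    return [e for e in events
            if is_outlook_profile_key(e["key"]) and e["process"].lower() not in allowed]


# Constructed event stream: the three key opens the report attributes to Lokibot.exe
# (PID 4912), a benign Outlook read on another user's profile, and a Lokibot.exe
# read of an unrelated key that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4912, "process": "Lokibot.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"pid": 4912, "process": "Lokibot.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"},
    {"pid": 4912, "process": "Lokibot.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 6100, "process": "OUTLOOK.EXE",
     "key": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 4912, "process": "Lokibot.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"},
]

if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(f'pid {e["pid"]} {e["process"]} opened {e["key"]}')
```

Matching on the image name alone is weak (a stealer can be renamed or injected into a trusted process); pair this with the process ancestry and the SeDebugPrivilege signal the report also records.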
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  1     raw.githubusercontent.com
  49    raw.githubusercontent.com
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process      procid_target
  PID 3780 set thread context of 4912  3780  Lokibot.exe  111
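PID 3780 setting the thread context of PID 4912, a second copy of Lokibot.exe it spawned itself (see the process tree below), is the classic process-hollowing tell: the parent starts a suspended copy of its own image and redirects its entry point. The Python below is an added example, not part of the Triage report: it scores each SetThreadContext call using the parent link, the image path and the SeDebugPrivilege signal, all taken from this report's process tree and signature tables, and walks the ancestry back to the Edge download. The process list, the SetThreadContext pair and the SeDebugPrivilege set are constructed from those tables.

```python
"""Heuristic for process hollowing from the events this report records.

Added example, not part of the Triage report. The process list is constructed
from the report's process tree (PIDs, images and parent links as shown there),
the SetThreadContext pair from "Suspicious use of SetThreadContext" and the
SeDebugPrivilege PIDs from "Suspicious use of AdjustPrivilegeToken".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


# Subset of the report's process tree. PPID 0 marks a root the sandbox started.
PROCS = [
    Proc(1508, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    Proc(2248, 1508, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    Proc(3780, 1508, r"C:\Users\Admin\Downloads\Lokibot.exe"),
    Proc(4912, 3780, r"C:\Users\Admin\Downloads\Lokibot.exe"),
    Proc(4264, 1508, r"C:\Users\Admin\Downloads\Lokibot.exe"),
]
SET_THREAD_CONTEXT = [(3780, 4912)]   # (caller pid, target pid) from the report
SE_DEBUG = {3780, 4264, 4912}         # pids that enabled SeDebugPrivilege


def hollowing_candidates(procs, stc_events, se_debug=frozenset()):
    """Score each SetThreadContext call that targets a *different* process.

    A debugger, or a process adjusting its own threads, also calls
    SetThreadContext; the hollowing tell is a parent resetting the entry point
    of a child it just spawned, especially a copy of its own image that lives
    under a user-writable path."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for caller, target in stc_events:
        c, t = by_pid.get(caller), by_pid.get(target)
        if c is None or t is None or caller == target:
            continue  # unknown pid, or a thread in the caller's own process
        reasons = []
        if t.ppid == c.pid:
            reasons.append("target is a child of the caller")
        if t.image.lower() == c.image.lower():
            reasons.append("target runs the caller's own image (self-spawn)")
        if "\\users\\" in t.image.lower():
            reasons.append("target image lives under a user profile")
        if caller in se_debug:
            reasons.append("caller enabled SeDebugPrivilege")
        if reasons:
            findings.append({"caller": caller, "target": target, "image": t.image,
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def ancestry(procs, pid):
    """PIDs from `pid` up to its root, to show where the sample came from."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for f in hollowing_candidates(PROCS, SET_THREAD_CONTEXT, SE_DEBUG):
        print(f'{f["caller"]} -> {f["target"]} ({f["image"]}) score {f["score"]}: '
              + "; ".join(f["reasons"]))
        print("  ancestry:", " <- ".join(map(str, ancestry(PROCS, f["target"]))))
```

A browser calling SetThreadContext on one of its own child processes would score 2 under these rules (child plus same image), which is why the user-profile path and the privilege signal are kept as separate reasons rather than folded into one boolean.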
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Modifies registry class (2 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3866437728-1832012455-4133739663-1000\{884AF4A1-E73E-4999-BF15-E19FF2ECDEB0}  msedge.exe
  Key created  \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings\MuiCache  MiniSearchHost.exe
NTFS ADS (2 IoCs)
  description                   ioc                                                               Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 4113.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier              msedge.exe
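The `Lokibot.exe:Zone.Identifier` stream is Edge writing the Mark-of-the-Web onto the download; it is what later lets SmartScreen and Office treat the file as Internet-sourced, and it survives as forensic evidence of where the file came from unless the attacker strips it. The Python below is an added example, not part of the Triage report: it parses the stream's INI-style body and reads it from disk on Windows via the `file:Zone.Identifier` path syntax. The stream content and the URLs in it are constructed placeholders; the report does not record the actual HostUrl.

```python
"""Parse the Mark-of-the-Web that Edge wrote to Lokibot.exe:Zone.Identifier.

Added example, not part of the Triage report. The stream body is an INI fragment
with a [ZoneTransfer] section; the sample below is constructed and its URLs are
placeholders, since the report does not show the stream's content.
"""
import configparser

# URLMON security zone ids as written to the ZoneId key.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed stream content (Windows line endings, as the shell writes them).
SAMPLE_ADS = ("[ZoneTransfer]\r\n"
              "ZoneId=3\r\n"
              "ReferrerUrl=https://example.invalid/downloads/\r\n"
              "HostUrl=https://example.invalid/files/Lokibot.exe\r\n")


def parse_zone_identifier(text):
    """Return zone id, zone name and the two URLs, or None without a ZoneTransfer section."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", "").strip())
    except ValueError:
        zone_id = None  # malformed or missing ZoneId
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "unknown"),
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def from_internet(motw):
    """True for the zones that trigger SmartScreen/Protected View (Internet, Restricted)."""
    return motw is not None and motw["zone_id"] in (3, 4)


def read_motw(path):
    """Windows only: NTFS addresses the stream as '<file>:Zone.Identifier'.

    Returns None when there is no stream, which is itself worth noting for a
    file that claims to have arrived through a browser."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_ADS)
    print(motw["zone"], motw["host_url"], "internet-sourced:", from_internet(motw))
```

On a live host, `read_motw(r"C:\Users\Admin\Downloads\Lokibot.exe")` would return the parsed stream; the `.crdownload:SmartScreen` stream from the same signature holds opaque reputation data and is not parsed here.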
Suspicious behavior: EnumeratesProcesses (21 IoCs; repeated hits per process collapsed)
  pid   Process              hits
  2360  msedge.exe           2
  1508  msedge.exe           2
  3812  msedge.exe           2
  896   identity_helper.exe  2
  2828  msedge.exe           2
  3852  msedge.exe           2
  3780  Lokibot.exe          4
  4264  Lokibot.exe          1
  1380  msedge.exe           4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs; repeated hits collapsed)
  pid   Process     hits
  1508  msedge.exe  16
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3780  Lokibot.exe
  Token: SeDebugPrivilege  4264  Lokibot.exe
  Token: SeDebugPrivilege  4912  Lokibot.exe
Suspicious use of FindShellTrayWindow (36 IoCs; repeated hits collapsed)
  pid   Process     hits
  1508  msedge.exe  36
Suspicious use of SendNotifyMessage (12 IoCs; repeated hits collapsed)
  pid   Process     hits
  1508  msedge.exe  12
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1632  MiniSearchHost.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated writes to the same target collapsed, all from the Edge browser process to its own children)
  description                       pid   Process     procid_target
  PID 1508 wrote to memory of 1708  1508  msedge.exe  78
  PID 1508 wrote to memory of 2248  1508  msedge.exe  79
  PID 1508 wrote to memory of 2360  1508  msedge.exe  80
  PID 1508 wrote to memory of 3424  1508  msedge.exe  81
outlook_office_path (1 IoCs)
  description  ioc  Process
  Key opened   \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Lokibot.exe

outlook_win_path (1 IoCs)
  description  ioc  Process
  Key opened   \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Lokibot.exe
Processes
(each process is indented under its parent as in the sandbox's tree; the image path and PID come first, then the command line, then the signatures that process triggered)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1508]
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1708]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd6ee3cb8,0x7ffcd6ee3cc8,0x7ffcd6ee3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2248]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2360]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3424]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2340]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2140]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5000]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3812]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2860]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3316]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4820]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  [PID 896]
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4680]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3720]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2580]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3452]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3812]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3272 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2828]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5184 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1076]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2816]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 840]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 872]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4808]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 900]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2824]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3852]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\Lokibot.exe  [PID 3780]
      "C:\Users\Admin\Downloads\Lokibot.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\Downloads\Lokibot.exe  [PID 4912]
          "C:\Users\Admin\Downloads\Lokibot.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path

    C:\Users\Admin\Downloads\Lokibot.exe  [PID 4264]
      "C:\Users\Admin\Downloads\Lokibot.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1380]
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17166917077413428533,5488834637463990192,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6732 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  [PID 1532]
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [PID 460]
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe  [PID 1632]
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 425B
  MD5:    bb27934be8860266d478c13f2d65f45e
  SHA1:   a69a0e171864dcac9ade1b04fc0313e6b4024ccb
  SHA256: 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
  SHA512: 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

- Filesize: 152B
  MD5:    b26cef15e9a3cc82fb429a163f96ac6b
  SHA1:   718ac4822198b1a21f43b6941d0d8df107fd0015
  SHA256: 73af2c2ebc9187187d887e4abc8b04561c55f36f7f9cdf20293d522ce5c2f506
  SHA512: 87f96314ea9a1f394d24de5657e61cc6809c961fd05280b4875a06bb928f4e19dadf725fcd0417f16c93cdceca349dd27dd95d0f8f0f756020322803b2f91cdc

- Filesize: 152B
  MD5:    5efcc43219d778bd14d32016100f2708
  SHA1:   b06f6726698a68781854bc342a54e06bc4562217
  SHA256: a7534c7d125854f7fe662a7951443cad1d1ff0d8d3eb537dde5a381cd3415666
  SHA512: 6bbdf16b41bbc3ac5d4e2b93683a712d56eb58719799f69cb7240a77f799928b48af2771f76d9d7829846db12d0116e3a8ea6c5d0f02d5e840db1b3c018480b4

- Filesize: 211KB
  MD5:    151fb811968eaf8efb840908b89dc9d4
  SHA1:   7ec811009fd9b0e6d92d12d78b002275f2f1bee1
  SHA256: 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
  SHA512: 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

- Filesize: 23KB
  MD5:    cba68946d3694c460fe5acc9d751d427
  SHA1:   3e93f6164d0ed467f70062275ff14f2aff33fa0e
  SHA256: 073de9884f36c190971412d4d109e4bdcd3f494d530964dd4686341454654c7f
  SHA512: e6cf0ee7039b02e5bb83c11640aab6f897ae7227b18db00befaf5180bb5fa5d85ef2a0f86e9ada1150348db56ee0a4f6756d33bafbb849e2cee3180afe3b0e5a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5:    e05a66daa1835cf483f25ffbc5fe0db1
  SHA1:   ebd1a27f6d8961c77184a178d75d4d20284e166a
  SHA256: f6eaf716caf839fcc475870c24685791d2f0d22217037910888bfe0f61e6eec7
  SHA512: 65deae8b822bcfb1923b6916229f57d56ffdc81957d32561fec1d72cd7c039bd6e9e74ebac273a8b8821eafcb6f71b76e4db0a3fe281d27ce568b4fb73d602c1

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5:    0cffb67078fadca86bb30d1c474f035f
  SHA1:   694163e38aba61c4b4444a20625b09c46f211235
  SHA256: 47cf99233a444e8eb77e94f9c0e9254e2b9b27859ecb2bc95882581e81e4a5d0
  SHA512: 35a57e65030f46d35f6a5530301e3d84853340200dc35930bbf8074fccd3368769bc52fbe95c7c0c2d565c27f947579cae35805b855bad3a2980a9dbfb587179

- Filesize: 1KB
  MD5:    ad029c438ebb43f36e3aec980c7e736e
  SHA1:   8e8346dc64bddb7e832dac468d78766323fe3ecf
  SHA256: 86166626391fc89e24beb380618cd0dba9f3b2cd4210de7d86442f9e0fce30d8
  SHA512: 0a1103737f809812007339dd3ec438a80e8877644728b074be490b67d6819392883a4b3a85cdb56b396154b68b4b14538f151601a5902e60f170a7ff4392735f

- Filesize: 1KB
  MD5:    bbfec1bf67eeddbb875b9d821f950a94
  SHA1:   938c02fbf9a3afc06870b3052381c9a9d5bb4423
  SHA256: fa32fc060912481af9b91fe0565c8628bc40cb8f91cb8e74ed25e9f55025bb8a
  SHA512: ed0c5f8adc41ba266e0508c1d950f4f809d42a3dcd768c5904cd23ace564f663651db9121475fdcc8f5de86af34366ea2beadef5c1d818faa7a076531d483a99

- Filesize: 5KB
  MD5:    84b602a7bca470ea84a103c330a36e32
  SHA1:   407e2c33f4774ab82564fa377861564ba7ba4b57
  SHA256: 1a26a35ad92928a2f00097903df636310bc5a181e220b48a49b58295d912da32
  SHA512: b728391d2998fd64fa9a413a1cb3ab1ff4d0a3be74f2468d36c280e0b5e5285368444d2844438aacf552731ce92eb5716bfd3307b7e4a074015abf2b4112257a

- Filesize: 6KB
  MD5:    68701e57359eb3713cfde7a46b9038eb
  SHA1:   a3751c0ecd37ac31f9a07322409c151fd5d569fc
  SHA256: 6388fdb1f632f25687235a8f7de70a0725060fdabcb7d8802307dc0ec039f88f
  SHA512: 1c40bc6fb6c9c78d213719e09702152d7624d6bb3ad8433b8eba1afba3e03ba23057d653f00d1546ba0f16fe9f7015506f0695d052c41bfee97d9c83806a17ae

- Filesize: 7KB
  MD5:    2b4413e4cd02ab9f919733241a4d2065
  SHA1:   8a25b45eb0834bc1fed80447d93bf39e85f101d5
  SHA256: f1bb2145b2e8d4e68b5d2e3b2935fda54868b38cd4a2900184def8aa6110e5e6
  SHA512: d3a8d6b2952e2dee74f3b45cdcb1523e1175a303d73976e7ea2f21589e10040492ac4acaf8830ce5ff6163c2378fe1b411cd6ee80165862534af6fc863ebdefc

- Filesize: 1KB
  MD5:    d2e8a828bcc11199c2152da3dc8a1d2c
  SHA1:   7b883c47095f42c7aeeba59d9be2ad8c43aa7014
  SHA256: fda91d57d455c729e96283867124d746a71e4d5fc27a6328d1e0b5156b537788
  SHA512: 84ef7eec7ef5ff077a46c9fab6ff8e32ca65e8f85922d7132142ff45d7d2868e84e23880ecf907a4f259daec101ba706a3eaf63949f87269da6565ae70264e75

- Filesize: 1KB
  MD5:    87ae59d21b6f385de17ef7244ebc4e52
  SHA1:   e9eaa9222dea1744e27cc46a4f8238a34530e5b9
  SHA256: 337d7887d41d3713613bfd9b12c05f644cc6647768f3c8218cd4b04124a7cf96
  SHA512: 563c3da89523087a5cfc14b383cf25fe6bd8d83bc4338a9d9f09a1d0d2934264f30005a93abab2d5431c937495bf12acd037488055271c9a4532e4a91b8e86d8

- Filesize: 1KB
  MD5:    24362ba6fd21db64e128fe35a3b965da
  SHA1:   87dc1f2cbd3a0960646486afe2ab1845fcfdd13d
  SHA256: d9a13b3fd1058c3fac9864fe17496cece4b5ddc017d3cf3777d320dc2adb159c
  SHA512: 69d3eec7e433b403a325dc255320c3f3fea1405cc1612e596a994705fcb18af8612447b96ca3fd8e03ce902bd63b0e226e4c918c75bc13f683676f858b4b4520

- Filesize: 1KB
  MD5:    a9868100cf3a55dd9cdf9c6df2fe7ce2
  SHA1:   7d5193176b4a014b1b85b90b1d8aa2d3d335a8d0
  SHA256: e16539a8cb940f3ab0627037c64c9334c5f29c4eea726e49690499c4dc08490e
  SHA512: d2724713d2d74e2aee05ee105d967fca0bac14f4e3cb3bb0a0a37faf4563dd0343a97315a8b6e7b230dcb2537a930bb03dd15332d2a23c4afd2819f659521c38

- Filesize: 1KB
  MD5:    ef3868cdc7a7ef22f798730d0e2da104
  SHA1:   4f1d29bfbdc6e31f249589052d185d5e5dc2c1b6
  SHA256: b16697f9eacaf73f476a139c1b1c826c56d6cbbc5f2eac4379426b12e80c4a1b
  SHA512: 4e10107ab3043475a0e60df6ddb66f631b4f73626730a8962bf4eed6446d0ef7d24086f5a9656bb7dd36aafac3f3f73578da10af4305c212c456d0589e2cd878

- Filesize: 1KB
  MD5:    37def7425e4327ebc256895ead2b02b9
  SHA1:   8e551ced0405b10c0542955367c80cf9536abbd6
  SHA256: cddd70c5c041ead001d7048f84b2b3b8c1111cd30b2c5a422f286527b303b38e
  SHA512: 8c62b793897493eb6cfe7f32f56f9d2cb8464596feae3b6d5a1e40182be696866bf97f2c63f8130400fa91810c4270562d0e8d7d2d33eb8cbe08886a4a6c07d6

- Filesize: 1KB
  MD5:    1aa5a3cde16bac6bc65a10766d97b588
  SHA1:   f18aa42ba9b77334a52f7199e3baf62b0db0cb49
  SHA256: 436877207ae6f095d7cbc3a8db6d8e3a69af396ffd92c8092f637fa9859969a5
  SHA512: 872920b34b372d14545f986d6dd5e7663a5c878d3601a4d8285dbf66a8e97b648cf4fa9c1e2d9568dd46940493b2b4b7c1b6d8e9d8284d8d0a14aa34b6709f10

- Filesize: 1KB
  MD5:    a1631c5e9f0e8a8dfef42d9a622c65a1
  SHA1:   32c42e0651606fe66474e83f6c2d9e1d4684fe26
  SHA256: 6665b17622a957030cc0c3e91da4cd2bb4a7eb9e5a78632382b67282c4cb93fb
  SHA512: 2472de92a2b4ad4eb4d7fe114f475e72bc498d705fc92584c974532676238fd0758edd2de4e1c7fde7b8eb8a0115486bbb1cd6aa62b6601e91bf40360e834662

- Filesize: 16B
  MD5:    46295cac801e5d4857d09837238a6394
  SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 16B
  MD5:    206702161f94c5cd39fadd03f4014d98
  SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f9e8985c-7efd-4aff-8db1-5f493898f977.tmp
  Filesize: 6KB
  MD5:    839fd8bfd648b99cf15321d41f895737
  SHA1:   3665cd93211df3cf29938ee6192d24f79ec6263e
  SHA256: df36f74aad34eadfeb4c9b06f995b12a7165a9f889e64f8fb0d824cd57ea6d7a
  SHA512: 4c8218c52f3d3688f3a2baf16b195a384353e2fc51eafc7a02317ce6ffe9e62311a61562ef5df59189efc973eddd397543e3365957176dcb0a7e0c4d952a2b07

- Filesize: 11KB
  MD5:    4f91a9ccb42b799c7c63d379e71dd143
  SHA1:   eacb2ebcc8b4315fc744fe673809e2bfc30e8545
  SHA256: 43da07e4b9b3cd2a4d9ee1d0bf9ed0531996ad3a51a82c38245ed74e1b26fed2
  SHA512: dc41c49bd67db05ebb3b3712ee482e24ae0b42c4986406efcd435497659e319585254e74c4ed9cdfb5ed4e5050fd1d6919e603cc8222c3de02a8f8f4415f26b9

- Filesize: 11KB
  MD5:    555f1dc0304b282385e79c6806e9172f
  SHA1:   f63327ac30a349c887dee0ad5555d5ff74c63b5b
  SHA256: 6f32adefa85592d66d6fa42746e00ffb706c51b27c390032888dd8bc12a41ccb
  SHA512: 32268444683a0c644a3bf35bcd49ac937782d7ea1ee29e6c6bf52c968ec048a76261e8f6fb27a64f174875d7272c7aa3743e5f87c18545825677c24f252c4706

- Filesize: 12KB
  MD5:    461797d92fa33004f940efb898d5bf0d
  SHA1:   ef1c0b378290fd59d7b14514c7b7d1a5a6a1102f
  SHA256: 6eaac8781a3239166f5ad977fff5fc3eab11b7a901fb16cc79937c0e6ef04634
  SHA512: 919f4dcfe05dc45fd33d0ca719a6bb14be19fb6b68a857fbe168b54c2f0297ff27e3460b25751ed30f031e7fa8879cd1d317c29abef4cd3c46b39a60e3334673

- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5:    aa1db56ffcb4b44e29bae43c70e6f3c6
  SHA1:   f057d9514a4da16a42028bb1ab1da42000ac2059
  SHA256: b4d4b3bde87559d205c05d5d8d3b79940972bc823a9e40464d7e76e38348b175
  SHA512: 9ade68a2e0c2184c7ba4d68fa1eef20f809119bf7ed46bb81ef6209c2d9ae874c5c3dd9533eeac43c6fd5ffcedd1d601dd5b91bef824f22fdd956b9cb96920c9

- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5:    6eb9e667030a3414a9dd177950bff298
  SHA1:   b8b9a6b672bf720efdebd893c1be6056231e87d3
  SHA256: 5ea4f46bf6ba39af1e5c39796acef76712d354fab1d190cb2424cd63331566da
  SHA512: 4ba41fbd6202554c12351ccd1acfdf1f49e0a546fc2677e91fa20be8998615d4c41c0b841bc97b7b03f9ec5ecd61a261136539ff5121f839030509a69228b779

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3866437728-1832012455-4133739663-1000\0f5007522459c86e95ffcc62f32308f1_fa64fe2b-1cd7-449d-b1db-d238591a4b8b
  Filesize: 46B
  MD5:    c07225d4e7d01d31042965f048728a0a
  SHA1:   69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3866437728-1832012455-4133739663-1000\0f5007522459c86e95ffcc62f32308f1_fa64fe2b-1cd7-449d-b1db-d238591a4b8b
  Filesize: 46B
  MD5:    d898504a722bff1524134c6ab6a5eaa5
  SHA1:   e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

- Filesize: 55B
  MD5:    0f98a5550abe0fb880568b1480c96a1c
  SHA1:   d2ce9f7057b201d31f79f3aee2225d89f36be07d
  SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
  SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

- Filesize: 300KB
  MD5:    f52fbb02ac0666cae74fc389b1844e98
  SHA1:   f7721d590770e2076e64f148a4ba1241404996b8
  SHA256: a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
  SHA512: 78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0